WordPress: When Half of all Websites are Vulnerable

On April 21, WordPress issued a critical security release and “strongly encouraged” their customers to update their websites “immediately.” In general, the use of such alarming terms signals a significant threat, and this time it indeed does.

WordPress so dominates the CMS market that nearly 50% of all websites are based on it. This recent security release fixes multiple vulnerabilities, serious enough that an attacker may be able to obtain administrator access on any of those millions of websites. The most sensitive vulnerability affects WordPress version 4.1.1 and earlier.

First, MySQL Takes Liberties with UTF-8

Researcher Cedric Van Bockhaven discovered that the UTF-8 charset used by MySQL supports only characters of up to 3 bytes, which is more than enough for the Basic Multilingual Plane (BMP) covering almost all modern languages, but not for the supplementary characters (SMP) such as the beautiful U+1F3A0 Carousel Horse or the cute U+1F425 Front-facing Baby Chick…

If you try to insert a string containing one of these magnificent animals into a UTF-8 column, MySQL truncates the string at the 4-byte character and merely issues a warning about an “Incorrect string value”. The only way to prevent this kind of insertion is to turn MySQL into strict mode, which is not set by default.

Unfortunately, WordPress is fully based on MySQL and does not use strict mode…

Here Comes the XSS

Where there is truncation, Cross-site Scripting (XSS) is never far away. Van Bockhaven found that this same UTF-8 truncation behavior made it possible to exploit the WordPress comment functionality and insert scripts, whatever the WP theme. He could change passwords, create new administrator accounts and perform virtually any action on the CMS.

Another exploit was disclosed just one day later, based on the same truncation issue. Jouko Pynnönen found that the MySQL TEXT type is limited to 64 kilobytes, so a very long comment is truncated just like Van Bockhaven’s 4-byte character, with the same consequences. To fix this second vulnerability, WordPress issued a new security release (4.2.1).
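Both truncation paths above (the 4-byte character and the 64-kilobyte TEXT limit) come down to one thing: what MySQL stores is not what the application sanitized. The following Python is an added example, not code from this post or from WordPress; it models a non-strict MySQL utf8 TEXT column and shows the pre-insert check a defender wants, so that a value which would not round-trip intact is rejected before it reaches the database. The function names and the sample comments are this example's own.

```python
# Added example (not from the post or WordPress): model a legacy MySQL
# `utf8` column (3-byte code points, non-strict mode, TEXT byte limit)
# and validate input *before* storing it.

TEXT_MAX_BYTES = 65535  # a MySQL TEXT column holds at most 2^16 - 1 bytes


def legacy_utf8_store(value: str, max_bytes: int = TEXT_MAX_BYTES) -> str:
    """Return what a non-strict MySQL `utf8` column keeps of `value`.

    Storage stops at the first character that needs 4 bytes in UTF-8
    (anything above U+FFFF) and, independently, at the column's byte limit.
    Everything after the cut is silently lost (MySQL only warns).
    """
    kept = []
    used = 0
    for ch in value:
        size = len(ch.encode("utf-8"))
        if size > 3:                  # supplementary-plane character
            break
        if used + size > max_bytes:   # TEXT column is full
            break
        kept.append(ch)
        used += size
    return "".join(kept)


def check_before_store(value: str, max_bytes: int = TEXT_MAX_BYTES) -> str:
    """Classify input the way a pre-insert validator should.

    Returns "ok" only when the stored copy would equal what was sanitized;
    otherwise names the reason the value must be rejected.
    """
    if any(ord(ch) > 0xFFFF for ch in value):
        return "unstorable-character"
    if len(value.encode("utf-8")) > max_bytes:
        return "too-long"
    if legacy_utf8_store(value, max_bytes) != value:  # defensive round-trip
        return "truncated"
    return "ok"


# Constructed sample comments
EMOJI_COMMENT = "Nice article \U0001F3A0 thanks"   # U+1F3A0 Carousel Horse
LONG_COMMENT = "x" * (TEXT_MAX_BYTES + 1)          # one byte over the limit
PLAIN_COMMENT = "Caf\u00e9: \u00e9 needs only 2 bytes, so it is fine"

if __name__ == "__main__":
    print(repr(legacy_utf8_store(EMOJI_COMMENT)))  # 'Nice article '
    for comment in (EMOJI_COMMENT, LONG_COMMENT, PLAIN_COMMENT):
        print(check_before_store(comment))
```

Switching the column to utf8mb4 removes the first cut, as WordPress did; the length check is still needed because the TEXT limit does not change.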

The Good News

The WordPress security team fixed the UTF-8 issue in security release 4.1.2, which now fully supports 4-byte characters by changing the default MySQL charset to utf8mb4. One week later, another security release (4.2.1) fixed the truncation issue when inserting special characters or long comments. This prevents XSS through these vulnerabilities.

They also fixed a few other security issues: another XSS in an older version and SQL injection in some vulnerable plugins.

How Qualys Web Application Firewall Handles XSS and SQL Injection

Qualys Web Application Firewall detects both the WordPress XSS and SQLi vulnerabilities with the proper settings: confidence 80 and severity 60 on the XSS parameter. In other words, with these settings it protects an unpatched WordPress instance from the vulnerabilities described above. Its self-updating scoring engine recognizes any form of cross-site scripting or SQL injection, blocks or logs the attempt, and alerts the administrators.

Qualys WAF 2.0 with virtual patching and exceptions management allows its users to deploy strong security policies without requiring much time to handle false positives or complex configurations.

Code fixing can take months; in this case, it took 14 months for WordPress to release their patch. The Web Application Firewall is the fastest remediation and prevention method for web applications. It allows companies to run a secure web environment during the fixing period, or between the maintenance windows in which the applications can be upgraded.